Krebs on Security

In-depth security news and investigation

Expert: Fake eBay Customer List is Bitcoin Bait

In the wake of eBay’s disclosure that a breach may have exposed the personal data on tens of millions of users, several readers have written in to point out an advertisement that is offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to pile on that the stolen eBay data is now for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds.

The advertisement, posted on Pastebinhere, promises a “full ebay user database dump with 145, 312, 663 unique records”, for sale to anyone who sends 1.453 bitcoins to a specific bitcoin wallet. The ad includes a link to a supposed “sample dump” of some 12,663 users from the Asia-Pacific region.

There is a surprisingly simple method for determining the validity of these types of offers. Most Web-based businesses allow one user or customer account per email address, and eBay is no exception here. I took a random sampling of five email addresses from the 12,663 users in that file, and tried registering new accounts with them. The outcome? Success on all five.

For a sanity check on my results, I reached out to Allison Nixon, a threat researcher with Deloitte & Touche LLP (and one of the best sources I’ve met for vetting and debunking these supposed “leaks”). Nixon did the same, and came away with identical results.

“A lot of this is inference — finding out whether an account exists,” Nixon said. “A lot of the time if they generate fake leaks, they’re not doing it based on data from real accounts, because if they did then they might as well hack the real web site.”

eBay does maintain separate domains for different regions and countries, including ebay.co.uk (Great Britain), ebay.cn (China) and ebay.com.au (Australia), but testing indicates that all of these eBay sites use the same accounts database.

It’s worth noting that we saw nearly the exact same scams — an offer on Pastebin to sell a list in exchange for bitcoins — right after the LinkedIn breach last year. That offer also turned out to be fake.

Nixon posits that the main target of these fake leak scammers are probably security companies eager enough to verify the data that they might just buy it to find out. Interestingly, I did have one security company approach me today about the feasibility of purchasing the data, although I managed to talk them out of it.

“I think the target victim is a security company trying to verify,” Nixon said. “Only they would have that sort of money.”

I saw a new item in the local news about a supposedly historic first, where someone claimed they bought a house with bit coins. They were flapping their lips about all the advantages, but I must admit, I’m not good at interpreting economic technicalities, I only got a ‘C’ in macro economics, but I had a sneaking suspicion about this news report – like it was a way to get people to relax about all the bad news about Bitcoin.

Let’s face it – value is a purely psychological thing – once you lose confidence, the value goes to zero FAST! If Bitcoin had the digital equivalence of FDIC, we’d all be much more relaxed about it. lt was only the encryption scheme that makes it a similar environment.

You do realize that the dollar is backed by nothing? The only reason that piece of paper you have holds any value is because the government says so. The same concept could very well happen to our dollar.

Bitcoins can’t be loaned out fractionally, so that means there is no need for FDIC. You are the bank when you don’t let other entities hold your Bitcoin.
When you allow others to hold your Bitcoin, that is when risk is introduced.

“You would be 100 percent correct with your statement that Ebay.com only allows one account per email address.”

this is actually no longer the case, you can use the same email account many times now on ebay , and create “guest” accounts using the same email address multiple times. I am unclear as to when a “guest” account has to , or can choose to, become a “regular” account, but I am positive that a single email address can be reused multiple times on the ebay site, for guest checkout.

“From a security standpoint, the site uses 256-bit encryption, but never actually stores a username or password on the site. Instead, that information is passed to a trusted third party, which then returns to FutureAdvisor the security token that allows the site to examine, but not modify, the user’s investment information. If a user changes his password at his or her investment site, he or she will need to change it on FutureAdvisor as well.” http://www.pcmag.com/article2/0,2817,2401801,00.asp

Don’t store the credentials on the same site as the other product data. I don’t know how ebay works. I hope it works better than it used to.

“Because most bitcoin addresses haven’t been publicly identified — like the FBI’s — it’s hard to say exactly makes up the new Bitcoin top 10. Meiklejohn says that they’re likely to include wallets created by up-and-coming Bitcoin exchanges or businesses. One of them is the wallet that’s thought to contain 96,000 bitcoins stolen from the Silk-Road successor, Sheep Marketplace.” http://bitcoinvista.com/2014/01/18/who-owns-the-worlds-biggest-bitcoin-wallet-the-fbi/

“Chief among the imperfections is eBay’s meter that labels chosen passwords as “weak,” “medium,” or “strong” depending on their resistance to common cracking techniques. It showed “Stlk/v/FqSx”lireFTzidyS/m” (minus the beginning and ending quotation marks) as being weak, even though the password has 25 characters that include a mix of upper- and lower-case letters and symbols, plus it isn’t included any obvious dictionary or word list.”

In a perverse way these “scam the scammers” schemes might actually protect the actual data from being widely distributed. These secondary scammers could be killing the market for the real dataset.

I saw this technique used in a different way in the case of the guy who posted a video from a dash cam in his car as it was being serviced at a Chevrolet dealership. He posted the misdeeds of the dealership on YouTube. The dealership sued the customer and they forced YouTube to delete the video. Then the dealership shot their own videos promoting their business and employes and posted them to YouTube with the same keywords as the original detrimental video. It’s now extremely difficult to locate the original dash cam video anywhere on the Internet.

[eBay said: that a database containing encrypted passwords and other non-financial data was stolen…]

Keep in mind that most ‘Personal Identifiable Data’ is ‘financially relevant’ and is part of the stepped process of engaging in Identity Theft.

[eBay said: Despite admitting to the hack, the auction website said there was no evidence of suspicious activity on members’ accounts…]

Keep in mind that the info obtained in a data breach is of relevance to more than one of the methods used to extort or divert a victim’s financial assets not just the initial account in question and may later involve the victims other financial accounts as the process of date-mining for the victims Identifiable Data can progress for months or years until achieving Identity Theft (and not just in movies but with real life victims).
Also; it has been shown that cracking passwords is not that hard and quite easily as many use familiar Dates, Times, Names, Places, Pets, etc. which code-cracking algorithms are designed for. Once you get passed that, then you move on to see if the same was used on the victims other accounts and so on.

While Bitcoin is a nice academic design, it is fundamentally broken in practice. Namely, at any time a party with more computing power than today’s group of miners can cause a fake blockchain continuation. There are loads of powerful groupsnwho can readily do this. The implication is that all your Bitcoins might overnight become worthless. There is nothing that can be done about this attack, by design of Bitcoin – that is why it is a fundamental flaw. It is shocking that most Bitcoin users do not understand this.

“Expert” allow an amateur to correct you. The Bitcoin hashing network is currently at 50 Petahashes and growing by over 1% per day. That is more than the world’s top 500 supercomputers combined (as of May 2013). There is not one group with power to match this let alone many.

Amateur, you are wrong. Even at 50 petahashes the network does not total more than several percent of the world’s estimated total computing power. It wouldn’t be much of a problem for parties like the NSA and other heavily-funded organizations to exceed that if they really wanted to bring down Bitcoin. There would be no recourse for anyone. At present, Bitcoin is too insignificant and at constant risk of self-imploding for such organizations to step in, but rest assured they can at any time if they want to.

On a related note, what gives you the confidence that a majority of the current group of miners will keep acting honest or will not be compromised? There are only a handful of them that control and lease all of the current mining power.

One of the complications is that we need to be able to trust the time; otherwise the opponent might manipulate the network time protocol to say that the date is now 2500AD and bring about general file deletion. Does this bring the Network Time Protocol (and thus the Global Positioning System and thus the US Department of Defense) within the security perimeter, or do we create our own secure time service? The mechanics of such a service have been discussed in other contexts, but there is as yet no really secure clock on the Internet. ”http://www.cl.cam.ac.uk/~rja14/eternity/node13.html#SECTION00049000000000000000

Until we have a secure clock we aren’t going to have a secure Internet currency. We’ll be close. Time is money. They’re claiming it’s speech and what they say is even more inaccurate than the clocks. If you want to send fake currency for fake ID files go at it. It seems like a waste of time.

Over the last few weeks Symantec has seen a significant spike in NTP reflection attacks accross the Internet. NTP is the Network Time Protocol, it is a relatively obscure protocol that runs over port 123 UDP and is used to sync time between machines on a network.
[Search domain http://www.symantec.com] symantec.com

SO if your network activity depends on accurate time data and what doesn’t, the data could be corrupt and out of data. IOW it is low quality metadata. The routers are out of date and insecure too. Auctions help spread out of date gear and then there are security troubles. She got me a watch chain and I got her combs. She sold her hair though. I sold my watch!

Why would someone use a database stolen from some other random hacked site and try to pass it off as a database stolen from eBay, when they stand to gain ~USD$750 from doing so for each sucker who buys it? That question kind of answers itself, IMHO.

So now the dollar is going into negative status. It’ll be more trouble than it is worth and borrowing won’t make it worth more. Compromised customer information is worthless. That’s easy to secure. I’m old, I remember when the dollar was secure. Gold was cheap and people were of high value. Now? Metal is expensive and people are cheap. Ebay broke and so is the health care system. You can’t get your own medical records. You have to steal them because the racketeers running the system don’t want you to have control. More stuff’s going to close down. We won’t lose money which has already lost most of the value.

The historical account of Oak Island, Nova Scotia, given here is true; that is, as true as any history of events
covering more than 150 years. It is a disappointing story, since it has no ending or real beginning.

Most tales of this sort are founded on an ancient map or legend which point to some part of the world as
the hiding place of great riches. Usually the man who buried the treasure, and the date of its internment, are
well known, but the exact location of the cache is obscure.

Yet the reverse is true of Oak Island. The particular spot where its treasure was buried has been fixed,
within a few yards, since the late Eighteenth Century. No scrap of concrete evidence exists to connect it with
any person or any age, and the character of the treasure is equally uncertain. We can only depend on a
knowledge of human nature to be sure that it is something of enormous value. No satisfactory explanation of the origin of the earthworks has ever been given. The Mahone Bay area, in
which Oak is located, was well settled by the Acadians before 1700. We must necessarily select some date prior
to that as the date of its burial, since the labor connected with the excavation could have been kept secret only
when the Bay was uninhabited.”http://baconscipher.com/OakIsland1.html

If you send somebody treasure they will send you all this location and other data. Save your resources. More excavation? Trying to make data mining pay? Keep a worm on your end of the line and we have lots more end of the line for you as the Wolfman used to say.